PreToolUse hook does not prevent tool execution — fires after the fact

Resolved 💬 3 comments Opened May 9, 2026 by kscott Closed May 12, 2026

Summary

A PreToolUse hook configured to block a specific Bash command (in this case, sed) did not prevent the command from running. The hook fired and blocked agent continuation, but the tool had already executed and caused the side effect it was meant to prevent.

Expected behavior

A PreToolUse hook should act as a gate: if the hook returns a deny decision or non-zero exit, the tool must not run. The name "PreToolUse" implies the hook fires before the tool executes.

Actual behavior

The Bash tool ran and completed (executing sed -i on a file). Only after execution did the hook fire, blocking further agent continuation. The file was modified before the hook had any effect.

Hook configuration

The hook is configured in ~/.claude/settings.json as a PreToolUse hook on the Bash tool. It inspects the command for sed usage and returns a deny decision.

Impact

The hook exists specifically because sed was used in a prior session to destroy a file with no backup. The PreToolUse hook is the mechanical enforcement meant to prevent recurrence. If it doesn't fire before execution, it provides no protection — only a post-mortem.

Repro

  1. Configure a PreToolUse hook on the Bash tool that denies commands matching a specific pattern (e.g., containing sed)
  2. Ask Claude to run a Bash command matching that pattern via SSH (ssh host "sed -i ...")
  3. Observe: the command executes and completes, then the hook fires

Notes

It's possible the hook fires correctly for local commands but the SSH wrapper causes it to be evaluated after the subprocess is already running. Either way, the contract is broken.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗